Event Log Tampering Part 1: Disrupting the EventLog Service

You Can’t See Me
  • Service Host Thread Tampering (Invoke-Phant0m)
  • Patching the Event Service (Mimikatz)
  • Downgrading Windows Components (Adding MiniNT key)
  • Evtx Structure & Manual Event Editing (A must-read to understand the following sections)
  • Event Record Unreferencing (Shadow Brokers Tools DanderSpritz/eventlogedit)
  • Rewriting Logs with WinAPI EvtExportLog (3gstudent’s evolutions of eventlogedit)

Disrupting the EventLog Service

Service Host Thread Tampering

A time gap in the logs between when I started Phant0m and when I restarted the service.

Patching the Event Service

Downgrading Windows Components

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\MiniNt"
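
All three techniques above leave the same symptom: the EventLog service still reports Running, but events stop arriving. Phant0m kills the worker threads inside the svchost.exe that hosts the service, the Mimikatz approach patches the service in memory, and the MiniNt key makes the service believe it is running under WinPE so it writes nothing once it next starts (creating the key from an elevated prompt is not enough by itself; the service has to restart, which in practice means a reboot, and logging only resumes after the service starts again without the key). The script below is an added example, not code from the original post or from Phant0m or Mimikatz: it is the quick set of checks a responder can run on a suspect host for all three. The function name, the thresholds and the output format are assumptions made for this example; run it from an elevated PowerShell 5.1 or later session.

```powershell
# Added example: responder-side checks for Event Log disruption.
# Not part of the original post; names and thresholds are assumptions.
function Test-EventLogTampering {
    [CmdletBinding()]
    param(
        # Flag a log whose newest event is older than this many minutes (assumed threshold)
        [int]$MaxSilenceMinutes = 30,
        # How many recent events per log to scan for internal gaps (assumed value)
        [int]$Sample = 500
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Downgrading Windows Components. If this key exists when the Event Log
    #    service starts, the service behaves as if it were in WinPE and writes
    #    nothing. Deleting the key alone does not restore logging; the service
    #    must start again without it.
    $miniNt = 'HKLM:\SYSTEM\CurrentControlSet\Control\MiniNt'
    if (Test-Path -LiteralPath $miniNt) {
        $findings.Add("MiniNt key present: $miniNt")
    }

    # 2. Thread tampering (Phant0m) and in-memory patching (Mimikatz) leave the
    #    service reporting 'Running'. Confirm the state and that the hosting
    #    svchost.exe still exists; record its thread count so it can be compared
    #    with a known-good host of the same build.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='EventLog'"
    if (-not $svc) {
        $findings.Add('EventLog service is missing')
    } elseif ($svc.State -ne 'Running') {
        $findings.Add("EventLog service state is $($svc.State)")
    } else {
        $proc = Get-Process -Id $svc.ProcessId -ErrorAction SilentlyContinue
        if (-not $proc) {
            $findings.Add("EventLog reports Running but PID $($svc.ProcessId) is gone")
        } else {
            Write-Verbose "EventLog hosted by PID $($proc.Id) with $($proc.Threads.Count) threads"
        }
    }

    # 3. Whatever the method, the visible result is a log that simply stops.
    #    Measure how long the log has been silent and the largest gap among
    #    the most recent events (the pattern shown in the post's screenshot).
    foreach ($log in 'Security', 'System') {
        $events = @(Get-WinEvent -LogName $log -MaxEvents $Sample -ErrorAction SilentlyContinue |
                    Sort-Object TimeCreated)
        if ($events.Count -eq 0) {
            $findings.Add("$log log returned no events")
            continue
        }
        $silence = (Get-Date) - $events[-1].TimeCreated
        if ($silence.TotalMinutes -gt $MaxSilenceMinutes) {
            $findings.Add("$log log: newest event is $([math]::Round($silence.TotalMinutes)) min old")
        }
        $largest   = [TimeSpan]::Zero
        $largestAt = $null
        for ($i = 1; $i -lt $events.Count; $i++) {
            $gap = $events[$i].TimeCreated - $events[$i - 1].TimeCreated
            if ($gap -gt $largest) {
                $largest   = $gap
                $largestAt = $events[$i - 1].TimeCreated
            }
        }
        if ($largest.TotalMinutes -gt $MaxSilenceMinutes) {
            $findings.Add("$log log: $([math]::Round($largest.TotalMinutes)) min gap starting $largestAt")
        }
    }

    if ($findings.Count -eq 0) { 'No tampering indicators found' } else { $findings }
}

Test-EventLogTampering -Verbose
```

The gap check is deliberately the last one: a MiniNt key or a dead PID is a direct indicator, but a busy host that has gone quiet for longer than its normal event cadence is the signal you will actually see first, and it is the same signal whether the threads were killed, the service was patched, or the key was added. Baseline the silence threshold per host role before alerting on it, since a lightly used workstation can legitimately go an hour without a Security event.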

svch0st